Millions Of Open Servers Are Helping To Set Off Huge Digital Bombs

Spamhaus attacks show how the Internet’s millions of open DNS resolvers are ‘the scourge of the Internet’

Digital bombs are going off across the Internet, smashing websites offline with incredible force. That’s partly because attackers are able to use at least 25 million open servers vital to Internet infrastructure to power their strikes. What’s concerning is that not all of those servers can be closed off, meaning many will remain at the disposal of malicious actors.

This past week saw what is believed to be one of the biggest Distributed Denial of Service (DDoS) strikes ever recorded, highlighting the terrifying power attackers can now generate. The attacks were aimed at Spamhaus, a not-for-profit organisation that attempts to counter spam.

After it put a Dutch hosting company, Cyberbunker, on a blacklist, Spamhaus was struck by a DDoS that used an increasingly popular amplification technique. Such blacklists are used by email admins to filter out unwanted messages.

Servers used as weapons

Cyberbunker, which is based out of a five-story former NATO bunker, had not responded to a request for comment at the time of publication. It says on its official website it offers services “to those that some would like to see offline”.

According to a spokesperson for the attackers, Cyberbunker was retaliating against Spamhaus for abusing its influence. Reports have claimed there was collateral damage, resulting in everyday Internet users experiencing poor access, although there was certainly no widespread outage (for a full run-down of how the attacks affected the wider Internet, see this blog post from CloudFlare).

The DDoS hits, which are thought to have ranged from 75Gbps up to 300Gbps in power, came from what is known as DNS reflection – a way to amplify traffic to swamp servers and take websites offline. These attacks rely on what are known as “open recursive resolvers”, part of the DNS process in which domain names are translated to IP addresses, so people can access websites by typing in names (e.g. Google.com) rather than numbers (e.g. 216.239.51.99).

Attackers spoof the source IP address of their requests so that it appears to be the one belonging to their target. They then send a large number of requests for DNS zone files – which contain mappings between domain names and IP addresses – to open DNS resolvers. The resolvers respond by sending a flood of traffic to the victim, clogging up its pipes and taking it offline.

The big problem here, and this is a serious issue facing the Internet in general, is that there are 25 million of these resolvers, posing a significant threat, according to the Open DNS Resolver Project, which released figures late last week. With Spamhaus, 30,000 unique DNS resolvers were used, most likely via a botnet.

The Spamhaus attacker sent requests for the DNS zone file for ripe.net to open DNS resolvers, spoofing IPs issued for Spamhaus by the company it called in for protection – CloudFlare. The open resolvers responded, sending back around 75Gbps of attack traffic, according to CloudFlare.
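As an added illustration that is not part of the original article, the Python below shows why a reflected ANY query is so effective: it builds a minimal DNS query packet for ripe.net, builds a response of the shape a resolver would return, and compares the two sizes. The answer set (four address records and two long TXT records) is constructed for the example and is not ripe.net's real zone data; the addresses are from the 192.0.2.0/24 documentation range.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY, CLASS_IN = 1, 16, 255, 1


def encode_name(name):
    """Encode "ripe.net" as the DNS label sequence 4ripe3net0."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """A single UDP query: 12-byte header (RD flag set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_rr(rtype, ttl, rdata):
    """One resource record; its owner name is a compression pointer (0xC00C)
    to the question name at offset 12, as real resolvers emit."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(query, answers):
    """Echo the transaction id and question, set QR/RD/RA, append the answers."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b"".join(build_rr(rtype, 3600, rdata) for rtype, rdata in answers)
    return header + query[12:] + body


def parse_header(packet):
    """Decode the six 16-bit header fields of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def txt_rdata(text):
    """TXT rdata is a sequence of <length><chars> strings, each at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


# Constructed answer set (not ripe.net's real records): a few A records plus
# the kind of long SPF and DKIM TXT records that make ANY responses bulky.
SAMPLE_ANSWERS = [
    (QTYPE_A, bytes([192, 0, 2, 1])),
    (QTYPE_A, bytes([192, 0, 2, 2])),
    (QTYPE_A, bytes([192, 0, 2, 3])),
    (QTYPE_A, bytes([192, 0, 2, 4])),
    (QTYPE_TXT, txt_rdata("v=spf1 " + "ip4:198.51.100.0/24 " * 9 + "-all")),
    (QTYPE_TXT, txt_rdata("v=DKIM1; k=rsa; p=" + "M" * 216)),
]


def amplification_factor(query, response):
    """Bytes a reflector sends to the spoofed address per byte the sender paid."""
    return len(response) / len(query)


def demo():
    """Build the query/response pair and return the sizes and the factor."""
    query = build_query("ripe.net")
    response = build_response(query, SAMPLE_ANSWERS)
    return len(query), len(response), amplification_factor(query, response)


if __name__ == "__main__":
    qlen, rlen, factor = demo()
    print(f"query {qlen} bytes, response {rlen} bytes, amplification x{factor:.1f}")
```

The 26-byte query yields a 541-byte response here, roughly a 20x gain; real ANY responses for DNSSEC-signed zones are larger still, which is why operators refuse or rate-limit ANY and close recursion to outsiders.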

DNS resolvers ‘scourge of the Internet’

“Open DNS resolvers are quickly becoming the scourge of the Internet and the size of these attacks will only continue to rise until all providers make a concerted effort to close them,” CloudFlare wrote in a blog post.

ISPs have been called on to address the issue, as they can carry out better checks on IP address spoofing. TechWeekEurope asked BT, the UK’s largest ISP, what it was doing to counter such attacks, but it had not responded at the time of publication.

Darren Anstee, team manager for network security firm Arbor Networks, said there were a number of steps service providers could take, one of which is called “ingress filtering”, which stops any subscriber from spoofing by discarding packets whose source IP address is spoofed.

“There is an operational overhead to doing that… which is why some of them don’t do it,” he told TechWeekEurope.

ISPs can also lock down DNS servers so that they only accept requests from specific address ranges, but that is only possible on some servers. Many have to accept requests from everybody, meaning there will always be open resolvers for hackers to use as weapons.
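The two provider-side defences described above, ingress filtering of spoofed sources and restricting which networks a resolver will recurse for, together with the check a resolver operator can run on its own query log to see whether it is being used as a reflector, as an added example that is not part of the article or of any vendor's product. The ISP prefixes, the recursion list and the BIND-style log lines are all constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed ISP addressing (documentation ranges, not from the article):
# the prefixes assigned to subscribers behind one access router, and the
# narrower set of networks the ISP's resolver will perform recursion for.
SUBSCRIBER_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]
RECURSION_ALLOWED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24",)]


def is_spoofed(src_ip, prefixes=SUBSCRIBER_PREFIXES):
    """Ingress filtering (BCP 38): a packet arriving from the subscriber side
    must carry a source address from that side's own prefixes; anything else
    is spoofed and is dropped before it can reach any resolver."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in prefixes)


def recursion_permitted(client_ip, allowed=RECURSION_ALLOWED):
    """Resolver access control: recursion only for listed networks, the
    equivalent of BIND's allow-recursion { ... } statement."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


def handle_query(pkt):
    """Apply both layers to a constructed query record and return the action."""
    if is_spoofed(pkt["src"]):
        return "drop-spoofed-source"
    if pkt["rd"] and not recursion_permitted(pkt["src"]):
        return "refused-recursion"
    return "answer"


SAMPLE_QUERIES = [
    {"src": "203.0.113.42", "qname": "example.com", "rd": True},   # legitimate subscriber
    {"src": "192.0.2.10", "qname": "ripe.net", "rd": True},        # source outside ISP space
    {"src": "198.51.100.50", "qname": "example.net", "rd": True},  # subscriber, but not in the recursion ACL
]


def summarize(queries=SAMPLE_QUERIES):
    """Count the action taken for each sample query."""
    return dict(Counter(handle_query(q) for q in queries))


# Resolver operator's view: constructed BIND-style query log lines. Spoofed
# reflection shows up as bursts of ANY queries that all appear to come from
# one "client", which is really the victim's address.
SAMPLE_LOG = """\
26-Mar-2013 14:02:11.001 client 203.0.113.42#4123: query: example.com IN A +
26-Mar-2013 14:02:11.004 client 192.0.2.77#53: query: ripe.net IN ANY +
26-Mar-2013 14:02:11.005 client 192.0.2.77#53: query: ripe.net IN ANY +
26-Mar-2013 14:02:11.006 client 192.0.2.77#53: query: ripe.net IN ANY +
26-Mar-2013 14:02:11.010 client 203.0.113.9#51002: query: example.org IN MX +
26-Mar-2013 14:02:11.011 client 192.0.2.77#53: query: ripe.net IN ANY +
26-Mar-2013 14:02:11.020 client 203.0.113.9#51002: query: example.org IN ANY +
"""
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def reflection_suspects(log_text=SAMPLE_LOG, min_any=3):
    """Apparent client IPs that issued at least min_any ANY queries. These are
    the likely spoofed victims: rate-limit or refuse ANY for them, and close
    recursion to outside networks so the resolver stops reflecting at all."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("qtype") == "ANY":
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= min_any}


if __name__ == "__main__":
    print("actions:", summarize())
    print("reflection suspects:", reflection_suspects())
```

The ingress check belongs on the access router, where the provider knows which prefixes a subscriber port may legitimately use; the recursion list belongs on the resolver. Each layer catches traffic the other cannot: the filter stops spoofed packets from leaving the ISP, while the ACL stops the resolver answering outsiders even when a neighbouring provider has no filtering.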

With such power generated with such little effort, Spamhaus might want to continue ramping up its defences. It has gained itself a number of enemies in the past after placing them on its blacklist.


For every attack hackers can make these days, there is a circumvention available. People can still access websites by their IP addresses without using the DNS system. For example, that is what DNS caching software, Portable DNS Cache, does. It gets data from DNS servers only once, stores it locally, and doesn’t query DNS again. So there is no need for DNS servers for the sites that have been visited before.